BACKGROUND


Purpose: 

The  policy  aims  to  support  the  objectives  of  the  District  Municipality  to  enable 
the  implementation  and  maintenance  of  effective  systems  to  identify  and 
mitigate  the  risks  that  threaten  the  attainment  of  service  delivery  and  other 
objectives  and  optimise  opportunities  that  enhance  institutional  performance. 

Background  on  Risk  Management: 

Government  Objectives  and  Risk  Management: 

The  concept  of  risk  management  is  not  new  as  the  basic  principles  of  service 
delivery  (Batho  Pele,  1997)  clearly  articulate  the  need  for  prudent  risk 
management  to  underpin  the  achievement  of  municipal  objectives. 

Municipalities are bound by constitutional mandates to provide products or
services in the interest of the public good. As no institution has the luxury of
functioning in a risk-free environment, the District Municipality also encounters
risks inherent in producing and delivering such goods and services.

Stakeholders  understand  this  but  expect  Municipalities  to  perform  without  any 
unnecessary  exposure  to  risk.  In  other  words,  stakeholders  are  averse  to  value 
erosion  caused  by  risks  that  ought  to  be  detected  and  avoided  through  prudent 
management  actions. 

The  Municipal  Environment  is  fraught  with  unique  challenges,  such  as  lack  of 
capacity,  lengthy  decision  lead  times,  limited  resources,  competing  objectives 
and  infrastructure  backlogs  to  mention  a  few.  Such  dynamics  place  an  extra 
risk  management  burden  on  the  management  of  municipalities. 

1.2.1.5 Risk management is a management tool that increases an institution’s prospect
of success through getting it right the first time and minimising negative
outcomes. Value is maximised when institutions set clear and realistic
objectives, develop appropriate strategies, understand the intrinsic risks
associated therewith and direct resources towards managing such risks on the
basis of cost-benefit principles. Within high performing institutions, risk
management is a strategic imperative rather than an option.

1.2.2  What  is  Risk? 

1.2.2.1 There are numerous definitions of risk, which are informed principally by the
context in which they are applied.

1.2.2.2 A generic definition of risk is as follows: “A risk is any threat or event that is
currently occurring, or that has a reasonable chance of occurring in the future,
which could undermine the institution’s pursuit of its goals and objectives.”

1.2.2.3 Risks manifest as negative impacts on goals and objectives or as missed
opportunities to enhance institutional performance. Stakeholders expect the
District Municipality to anticipate and manage risks in order to eliminate waste
and inefficiency, reduce shocks and crises and to continuously improve capacity
for delivering on their institutionalised mandates.

1.2.3 Risk Management:

1.2.3.1 Risk management forms part of management’s core responsibilities and is an
integral part of the internal processes of an institution. It is a systematic process
to identify, evaluate and address risks on a continuous basis before such risks
can impact negatively on the institution’s service delivery capacity.

1.2.3.2 When properly executed, risk management provides reasonable, but not
absolute, assurance that the institution will be successful in achieving its goals
and objectives.

1.2.4 Enterprise Risk Management:

1.2.4.1 Enterprise risk management (ERM) is the application of risk management
throughout the institution rather than only in selected business areas or
disciplines. ERM recognises that risks (including opportunities) are dynamic,
often highly interdependent and ought not to be considered and managed in
isolation. ERM responds to this challenge by providing a methodology for
managing institution-wide risks in a comprehensive and integrated way.

1.2.5 Risk Categories:

1.2.5.1 As the risk environment is so varied and complex, it is useful to group potential
events into risk categories. By aggregating events horizontally across an
institution and vertically within operational units, management develops an
understanding of the interrelationship between events, gaining enhanced
information as a basis for risk assessment.

1.2.5.2 The main categories to group individual risk exposures are as follows:


RISK TYPE: INTERNAL

Risk Category: Human Resources

Description: Risks that relate to Human Resources of an institution. These risks
can have an effect on an institution’s human capital with regard to:

• Integrity and Honesty;
• Recruitment;
• Skills and Competence;
• Employee wellness;
• Employee relations;
• Retention; and
• Occupational health and safety

Risk Category: Knowledge and Information Management

Description: Risks relating to an institution’s management of knowledge and
information. In identifying the risks consider the following aspects related to
knowledge management:

• Availability of information;
• Stability of the information;
• Integrity of information data;
• Relevance of the information;
• Retention and safeguarding.

Risk Category: Litigation

Description: Risks that the institution might suffer losses due to litigation and
lawsuits against it. Losses from litigation can possibly emanate from:

• Claims by employees, the public, service providers and other third parties;
• Failure by an institution to exercise certain rights that are to its advantage.

Risk Category: Loss/theft of Assets

Description: Risks that an institution might suffer losses due to either theft or
loss of an asset of the institution.

Risk Category: Material resources (procurement risk)

Description: Risks relating to an institution’s material resources. Possible
aspects to consider include:

• Availability of material;
• Costs and means of acquiring / procuring resources; and
• The wastage of material resources.

Risk Category: Information Technology

Description: The risks relating specifically to the institution’s IT objectives,
infrastructure requirement, etc. Possible considerations could include the
following when identifying applicable risks:

• Security concerns;
• Technology availability (uptime);
• Applicability of IT Infrastructure;
• Integration / interface of the systems;
• Effectiveness of technology; and
• Obsolescence of technology.

Risk Category: Third Party Performance

Description: Risks related to an institution’s dependence on the performance of a
third party. Risk in this regard could be that there is the likelihood that a
service provider might not perform according to the service level agreement
entered into with an institution. Non-performance could include:

• Outright failure to perform;
• Not rendering the required service in time;
• Not rendering the correct service; and
• Inadequate / poor quality of performance.

Risk Category: Health and Safety

Description: Risks from occupational health and safety issues e.g. injury on duty;
outbreak of disease within the institution.

Risk Category: Disaster Recovery / Business Continuity

Description: Risks related to an institution's preparedness or absence thereto to
disasters that could impact the normal functioning of the institution e.g.
natural disasters, act of terrorism etc. This would lead to the disruption of
processes and service delivery and could include the possible disruption of
operations at the onset of a crisis to the resumption of critical activities.
Factors to consider include:

• Disaster management procedures; and
• Contingency planning.

Risk Category: Compliance / Regulatory

Description: Risks related to the compliance requirements that an institution has
to meet. Aspects to consider in this regard are:

• Failure to monitor or enforce compliance;
• Monitoring and enforcement mechanisms;
• Consequences of non-compliance; and
• Fines and penalties paid.

Risk Category: Fraud and Corruption

Description: These risks relate to illegal or improper acts by employees resulting
in a loss of the institution’s assets or resources.

Risk Category: Financial

Description: Risks encompassing the entire scope of general financial management.
Potential factors to consider include:

• Cash flow adequacy and management thereof;
• Financial losses;
• Wasteful expenditure;
• Budget allocations;
• Financial statement integrity;
• Revenue collection; and
• Increasing operational expenditure.

Risk Category: Cultural

Description: Risks relating to an institution's overall culture and control
environment. The various factors related to organisational culture include:

• Communication channels and the effectiveness;
• Cultural integration;
• Entrenchment of ethics and values;
• Goal alignment; and
• Management style.

Risk Category: Reputation

Description: Factors that could result in the tarnishing of an institution’s
reputation, public perception and image.

RISK TYPE: EXTERNAL

Risk Category: Economic Environment

Description: Risks related to the institution’s economic environment. Factors to
consider include:

• Inflation;
• Foreign exchange fluctuations; and
• Interest rates.

Risk Category: Political Environment

Description: Risks emanating from political factors and decisions that have an
impact on the institution’s mandate and operations. Possible factors to consider
include:

• Political unrest;
• Local, Provincial and National elections; and
• Changes in office bearers.

Risk Category: Social Environment

Description: Risks related to the institution's social environment. Possible
factors to consider include:

• Unemployment; and
• Migration of workers.

Risk Category: Natural Environment

Description: Risks relating to the institution's natural environment and its
impact on normal operations. Consider factors such as:

• Depletion of natural resources;
• Environmental degradation;
• Spillage; and
• Pollution.

Risk Category: Technological Environment

Description: Risks emanating from the effects of advancements and changes in
technology.

Risk Category: Legislative Environment

Description: Risks related to the institution’s legislative environment e.g.
changes in legislation, conflicting legislation.

[Figure: ENTERPRISE RISK MANAGEMENT. Labels: OVERSIGHT, FRAMEWORK, PROCESS, DRIVERS, IMPLEMENTORS, ENABLERS]

2. PROCESS FRAMEWORK


2.1  Internal  Environment: 

2.1.1  The  District  Municipality’s  internal  environment  is  the  foundation  of  risk 
management  providing  discipline  and  structure.  The  internal  environment 
influences  how  strategy  and  objectives  are  established,  institutional  activities 
are  structured,  and  risks  are  identified,  assessed  and  acted  upon.  It  influences 
the  design  and  functioning  of  control  activities,  information  and  communication 
systems  and  monitoring  activities. 

2.1.2  The  internal  environment  comprises  many  elements  including  an  institution’s 
ethical  values,  competence  and  development  of  personnel,  management’s 
operating  style  and  how  it  assigns  authority  and  responsibility. 

2.1.3 The internal environment:

•  Establishes  a  philosophy  regarding  risk  management.  It 
recognizes  that  unexpected  as  well  as  expected  events  may  occur. 
This  includes  activities  like  a  risk  management  policy,  setting  of 
risk  appetite  and  risk  tolerance  levels; 

•  Establishes  the  institution’s  risk  culture; 

•  Considers  all  other  aspects  of  how  the  institution’s  actions  may 
affect  its  risk  culture.  This  typically  includes  activities  such  as  risk 
management  reporting  lines. 

2.2  Objective  Setting: 

2.2.1 Objectives must exist before management can identify events potentially
affecting their achievement. Risk management ensures that management has
a  process  in  place  to  both  set  objectives  and  align  the  objectives  with  the 
District  Municipality’s  mission  /  vision  /  organisational  values  and  is  consistent 
with  the  District  Municipality’s  risk  appetite  and  tolerance  levels.  The  setting 
of  these  objectives  is  usually  completed  during  the  “Strategic  planning  and 
budgetary  process”. 

2.3 Risk Identification:

2.3.1  The  purpose  of  completing  a  risk  identification  exercise  is  to  identify,  discuss 
and  document  the  risks  facing  the  institution.  Management  almost  always 
know  what  risks  the  institution  is  exposed  to  but  they  do  not  always  formally 
record  such  risks.  This  necessitated  the  development  of  risk  identification 
guidelines  to  ensure  that  institutions  manage  risk  effectively  and  efficiently. 

2.3.2  The  risk  identification  is  defined  as  “the  process  of  determining  what,  where, 
when,  why  and  how  something  could  happen”.  Risk  identification  is  a 
deliberate  and  systematic  effort  to  understand  and  document  all  of  the  key 
risks  facing  the  institution. 

2.3.3  The  objective  of  risk  identification  is  to  generate  a  comprehensive  list  of  risks 
based  on  those  events  and  circumstances  that  might  enhance,  prevent, 
degrade  or  delay  the  achievement  of  the  objectives.  This  list  of  risks  is  then 
used  to  guide  the  analysis,  evaluation,  treatment  and  monitoring  of  key  risks. 

2.4  Risk  Assessment: 

2.4.1  The  risk  assessment  is  a  systematic  process  to  understand  the  nature  of  risk 
and  determine  the  level  of  risk.  The  risk  assessment  step  aims  to  develop  an 
understanding  of  the  risk.  It  provides  an  input  to  decisions  on  whether  risk 
response  is  necessary  and  the  most  appropriate  and  cost-effective  risk 
response  strategies. 

2.4.2  The  main  purpose  of  risk  assessment  is  to  help  management  to  prioritise  the 
identified  risks.  This  enables  management  to  spend  more  time,  effort  and 
resources  to  manage  risks  of  higher  priority  than  risks  with  a  lower  priority. 

2.5 Risk Response Strategy:

2.5.1  A  key  outcome  of  the  risk  identification  and  evaluation  process  is  a  detailed  list 
of  all  key  risks  including  those  that  require  treatment  as  determined  by  the 
overall  level  of  the  risk  against  the  institution’s  risk  tolerance  levels.  However, 
not  all  risks  will  require  treatment  as  some  may  be  accepted  by  the  institution 
and  only  require  occasional  monitoring  throughout  the  period. 

2.5.2 All key risks identified should be responded to; however, not all these risks will
require treatment. The risks that fall outside of the institution’s risk tolerance
levels are those which pose a significant potential impact on the ability of the
institution to achieve set objectives and therefore require treatment.

2.5.3  The  purpose  of  responding  and  treating  risks  is  to  minimize  or  eliminate  the 
potential  impact  the  risk  may  pose  to  the  achievement  of  set  objectives. 

2.5.4  Risk  response  involves  identifying  the  range  of  options  for  responding  to  risks, 
assessing  these  options  and  the  preparation  and  implementation  of  response 
plans. 

2.5.5  Risk  response  may  involve  a  cyclical  process  of  assessing  a  risk  response, 
deciding  that  current  risk  levels  are  not  tolerable,  generating  new  risk 
response/s,  and  assessing  the  effect  of  that  response  until  a  level  of  risk  based 
on  the  agreed  risk  criteria  is  reached. 

2.6  Control  Activities: 

2.6.1 The institution can respond to risk through various mechanisms such as
avoidance, transfer, accepting and managing of the risk. When the institution
elects to manage the risk, it will require control activities to support the
management of the risk to within tolerable levels.


CKDM:  RISK  POLICY 




2.6.2 The risk assessment will have produced a management’s perspective of the
effectiveness of the existing controls. This would inform management of
additional control interventions required to better manage the risk exposures
to an acceptable level. Management will be able to consider the best control
options from various alternative control types:

2.6.2.1 Management Controls:

These ensure that the institution’s structure and systems support
the policies, plans and objectives and operate within laws and
regulations.

2.6.2.2 Administrative Controls:

These ensure that policies and objectives are delivered in an
efficient and effective manner and that losses are minimised.

2.6.2.3 Accounting Controls:

These ensure that resources allocated are accounted for fully and
transparently and are properly documented.

2.6.2.4 Information Technology Controls:

These controls relate to IT systems and include access control,
controls of system software programmes, business continuity
controls and other controls.

2.6.3 Each control type above can be classified as either:

2.6.3.1 Preventative Controls:

These controls are designed to discourage errors or irregularities
from occurring e.g. adequate physical security of assets to prevent
losses such as theft or damage. If properly enforced, these
controls are usually the most effective type of controls.

2.6.3.2 Detective Controls:

These controls are designed to find errors or irregularities after
they have occurred e.g. performance of reconciliation procedures
to identify errors.

2.6.3.3 Corrective Controls:

These controls usually operate together with detective controls in
order to correct identified errors or irregularities.

2.7  Information  and  Communication: 

2.7.1 Relevant information, properly and timeously communicated to relevant
stakeholders, is essential in order to equip such stakeholders to identify,
assess and respond to risks.

2.7.2  This  may  include  implementing  a  risk  management  reporting  system,  incident 
reporting  system  and  emergency  risk  warning  system. 

2.8  Monitoring: 

2.8.1 Risk management should be regularly monitored - a process that assesses
both the presence and functioning of its components and the quality of their
performance over time. Monitoring can be done in two ways:

2.8.1.1 Through ongoing activities; or

2.8.1.2 Separate evaluations.

2.8.2  This  will  ensure  that  risk  management  continues  to  be  applied  at  all  levels  and 
across  the  institution. 

3. DRIVERS OF RISK MANAGEMENT


3.1  Risk  Management  as  a  Service  Delivery  Imperative: 

3.1.1 Risk management benefits the institution by underpinning and bolstering
institutional performance through:

3.1.1.1 More efficient, reliable and cost-effective delivery of services;

3.1.1.2 More reliable decisions;

3.1.1.3 Innovation;

3.1.1.4 Minimised waste and fraud;

3.1.1.5 Better value for money through more efficient use of resources;

3.1.1.6 Improved project and programme management, which provide
better outputs and outcomes.

3.2  Legal  Framework: 

3.2.1  Municipality  and  Municipal  Entity: 

3.2.1.1 The Local Government: Municipal Finance Management Act, 56 of
2000 (MFMA);

3.2.1.2 The Local Government: Municipal Structures Act, 117 of 1998; and

3.2.1.3 The Local Government: Municipal Systems Act, 32 of 2000.

3.3  Accounting  Officer: 

3.3.1  Section  95l(i)  of  the  Municipal  Finance  Management  Act  (Act  56  of  2003) 
(MFMA)  applies. 

3.3.2 Section 95 l(i) of the MFMA requires that:

“The accounting officer of a municipal entity is responsible for
managing the financial administration of the entity, and must for
this purpose take all responsible steps to ensure-

(I) that the entity has and maintains effective, efficient and transparent
systems-

(i) of financial and risk management and internal control”

3.4 Management, Other Personnel, Chief Risk Officer, Risk Champions:

3.4.1  Section  105  of  the  Municipal  Finance  Management  Act  (Act  56  of  2003) 
(MFMA)  applies. 

3.4.2  The  extension  of  general  responsibilities  in  terms  of  Section  105  of  the  MFMA 
to  other  officials  of  municipal  entities  implies  that  responsibility  for  risk 
management  vests  at  all  levels  of  management  and  that  it  is  not  limited  to  only 
the  accounting  officer  and  internal  audit. 

3.5  Internal  Auditors: 

3.5.1  Section  165(2)  (a),  (b)(iv)  of  the  Municipal  Finance  Management  Act  (Act  56 
of  2003)  (MFMA)  applies. 

3.5.2 Section 165(2)(a), (b)(iv) of the MFMA requires that:

“(2)  The  internal  audit  unit  of  a  Municipality  or  municipal  entity  must: 

(a)  prepare  a  risk-based  audit  plan  and  an  internal  audit 
program  for  each  financial  year; 

(b)  advise  the  accounting  officer  and  report  to  the  audit 
committee  on  the  implementation  on  the  internal  audit 
plan  and  matters  relating  to: 

(iv) risk and risk management

3.5.3 Section 2110 - Risk Management of the International standards for the
Professional Practice of Internal Auditing states:

“The  internal  audit  activity  should  assist  the  organisation  by  identifying  and 
evaluating  significant  exposures  to  risk  and  contributing  to  the  improvements 
of  risk  management  and  control  systems- 


2110A1  -  The  internal  audit  activity  should  monitor  and  evaluate  the 
effectiveness  of  the  organisation’s  risk  management  system; 

2001  A2-  The  internal  audit  activity  should  evaluate  risk  exposures 
relating  to  the  organisation’s  governance,  operations,  and 
information  systems  regarding  the- 

•  Reliability  and  integrity  of  financial  and 
operational  information; 

•  Effectiveness  and  efficiency  of  operations; 

•  Safeguarding  of  assets; 

•  Compliance  with  laws,  regulations,  and 

contracts. 


2110 C1- During consulting engagements, internal auditors should
address risk consistent with the engagement’s objectives and
be alert to the existence of other significant risks.

2110  C2-  Internal  Auditors  should  incorporate  knowledge  of  risks  gained 
from  consulting  engagements  into  the  process  of  identifying  and 
evaluating  significant  risk  exposures  of  the  organisation.” 

3.6 Audit Committee:

3.6.1 Section 166(2)(a)(ii) of the MFMA states:

“(2) An audit committee is an independent advisory body which must-

(a) advise the municipal council, the political office-bearers,
the accounting officer and the management
staff of the Municipality, or the board of directors, the
accounting officer and management staff of the
municipal entity, on matters relating to-

(ii) Risk management”

3.7  Corporate  Governance  Guidelines: 

3.7.1 Municipalities are encouraged to adhere to the principles espoused in the King
III Report on Corporate Governance (King III) given its promotion of an
advanced level of institutional conduct. King III discusses the following risk
management principles, which could be of value to the institution:

•  Introduction  and  definition  of  risk  management; 

•  Responsibility  for  risk  management; 

•  Assimilating  risk  to  the  control  environment;  and 

•  Application  of  risk  management. 

3.7.2  Similarly,  the  principles  of  Batho  Pele  clearly  articulate  the  need  for  prudent 
risk  management  to  underpin  government  objectives.  Batho  Pele  strives  to 
instil  a  culture  of  accountability  and  caring  by  public  servants.  Further 
objectives  of  Batho  Pele  include  supporting  the  government’s  governance 
responsibilities,  improving  results  through  more  informed  decision-making, 
strengthening  accountability  and  enhancing  stewardship  and  transparency,  all 
of  which  resonate  well  with  the  principles  of  risk  management. 

4. ENABLERS OF RISK MANAGEMENT


4.1  Risk  Management  Strategy: 

4.1.1 The risk management strategy guides the institution on how to implement its
risk management policy.

4.1.2 The strategy should articulate a high-level plan of action to improve the
institution’s risk profile. A Risk Management Implementation Plan informed by
the institution’s most recent risk profile should supplement the risk
management strategy.

4.2  Developing  a  Risk  Management  Strategy: 

4.2.1  There  is  one  main  output  from  this  particular  task.  It  is  a  document  that 
describes  how  ongoing  risk  management  will  work  in  the  institution. 

4.2.2  The  risk  management  strategy  should  consider  the  following  five  main 
elements: 

4.2.2.1 Structural Configuration:

This element describes how the institution will be structured in
terms of committees and reporting lines to give effect to the risk
management policy.

4.2.2.2 Accountability, Roles and Responsibilities:

This element describes the authority and delegation of
responsibilities to give effect to the risk management policy.

4.2.2.3 Risk Management Activities:

This element includes the risk assessment of whether or not key
milestones are achieved. More importantly it is also monitoring
whether the risk management strategy is producing the
sustainable outcomes as originally envisaged.

4.2.2.4 Assurance Activities:

This element considers all assurance providers available to the
institution and integration of their scope of responsibility.

4.2.3  The  risk  management  strategy  should  include  a  risk  management 
implementation  plan,  in  the  form  of  a  project  plan  and  record  the  tasks,  names 
of  responsible  persons  and  target  dates. 

4.2.4  Documenting  the  risk  management  implementation  plan  also  overcomes 
problems  with  changes  in  personnel  and  is  a  good  way  of  creating  risk 
awareness  and  promoting  a  culture  of  risk  management. 

4.3  Developing  a  Risk  Management  Implementation  Plan: 

4.3.1 The following steps need to be taken when developing the risk management
implementation plan:

•  Determine  the  risk  management  activities  to  be  performed  taking 
into  account  the  risk  profile  and  related  costs  versus  the  benefits; 

•  Resourcing  requirements  - 

>  This  element  describes  the  capacity  and  competence 
of  personnel  and  the  strategy  to  address  capacity 
gaps.  It  also  addresses  the  technology  and  funding 
requirements  to  give  effect  to  the  risk  management 
strategy. 

•  Determine the sequence of activities and the target
implementation dates:

>  The  competition  for  management  attention  and 
resources  requires  that  the  sequence  of  activities 
should  be  founded  on  the  principles  of  urgency,  quick 
wins  and  sustainability  of  implemented  risk  mitigation 
strategies. 

•  Assign  ownership  for  and  communicate  risk  management 
activities. 

•  Agree  on  frequency  and  format  of  reporting. 

4.4  Fraud  Risk  Management  Policy  and  Strategy: 

4.4.1  A  Fraud  Prevention  Plan  represents  an  important  component  of  the 
institution’s  overall  risk  management  strategy  and  must  be  addressed  by 
means  of  a  Fraud  Risk  Management  Policy  and  Fraud  Risk  Management 
Strategy. 

4.5  Basic  Requirements  for  Effective  ERM  Implementation: 

4.5.1 The effectiveness of ERM in delivering the benefits mentioned in paragraph
2.1 is strongly correlated with the investment of the required resources and
application of specialist expertise. Listed below are the required resources:

•  Competent  people; 

•  Information,  tools  and  technology; 

•  Funding  for  ERM. 

4.5.2 These fundamental requirements are discussed in more detail in the
paragraphs below:

4.5.2.1 Competent Personnel:

ERM  is  affected  by  various  people,  sometimes  as  members  of 
committees,  who  perform  distinctive  roles  and  undertake  specific 
responsibilities.  The  fact  that  all  people  involved  in  the  ERM 
process  must  be  competent,  willing  and  have  the  necessary 
capacity  to  perform  such  roles  cannot  be  overemphasised  as  the 
vast  majority  of  ERM  failures  can  be  attributed  to  the  failure  of 
people  rather  than  the  failure  of  modality. 

4.5.2.2 Organisational Structure:

The  challenge  for  the  institution  is  to  set  up  appropriate  internal 
structures  and  delegate  roles  and  responsibilities  in  such  a  way 
that  the  individual  contributions  of  all  role  players  in  terms  of  risk 
management  can  converge  in  a  systematic  and  coordinated 
manner.  The  organisational  structure  must  facilitate  efficient 
reporting  relationships  and  flow  of  information  between  these 
parties. 

4.5.2.3 Role Players and Responsibilities:

ERM  is  most  effective  when  performance  expectations  are  clearly 
defined,  communicated  and  integrated  into  performance 
agreements,  and  the  responsible  persons  perform  to  these 
expectations. 

The  people  responsible  for  ERM  can  be  categorised  into  three 
distinct  categories,  namely  implementers,  support  and  oversight. 
5.  IMPLEMENTERS

5.1  Accounting Authority / Officer:

5.1.1  The Accounting Authority / Officer is ultimately responsible for risk management within the institution. The Accounting Authority / Officer approves the risk management policy and strategy for the institution and provides leadership and guidance for their implementation. The Accounting Authority / Officer is accountable to the Executive Authority regarding the effectiveness of the risk management process.

5.2  Management:

5.2.1  Management owns the risks, thus taking ownership for management of institutional risks.

5.2.2  Management are accountable to the Accounting Authority / Officer to integrate the principles of risk management into their daily routines to enhance the achievement of their service delivery objectives.

5.3  Other Personnel:

5.3.1  Other personnel are accountable to line management to integrate the principles of risk management into their daily routines to enhance the achievement of their functional objectives.
6.  SUPPORT


6.1  Chief  Risk  Officer  (CRO): 

6.1.1  The CRO provides specialist expertise in providing a comprehensive support service to ensure systematic, uniform and effective enterprise risk management. The CRO serves as a vital communication link between operational level management, senior management, the risk management committee and other relevant committees. The CRO is thus the custodian of the ERM framework, the co-ordinator of risk management throughout the institution and the institutional advisor on all risk management matters.

6.2  Risk  Champions: 

6.2.1  A  Risk  Champion  is  usually  an  existing  member  of  the  senior  management 
corps  within  the  institution.  Risk  Champions  support  the  risk  management 
process  in  specific  allocated  areas  or  functions. 

6.2.2  A Risk Champion has sufficient authority to drive ERM as required by the institution's risk management policy and strategy. A key part of the Risk Champion's responsibility involves escalating instances where the risk management efforts are stifled, such as when individuals try to block ERM initiatives.

6.2.3  The  Risk  Champion  also  adds  value  to  the  risk  management  process  by 
providing  guidance  and  support  to  manage  problematic  risks  and  risks  of  a 
transversal  nature. 

7.  OVERSIGHT 

7.1  Parliamentary  Oversight  Structures: 

7.1.1  Parliamentary Oversight Structures are responsible for overseeing the complete spectrum of governance within an institution. This responsibility would therefore also include an interest in the effectiveness of the process of risk management within the institution.
7.2  Auditor-General:

7.2.1  The Auditor-General is responsible for providing an opinion on:

•  The reasonability of the financial statements of the institution;

•  Compliance with applicable legislation.

7.2.2  In addition, the Auditor-General is required to highlight weaknesses or deficiencies in the performance reporting of the institution. In providing an opinion on compliance with legislation the Auditor-General will provide independent assurance on the effectiveness of the risk management activities of the institution.

7.3  National and Provincial Treasury:

7.3.1  National and Provincial Treasury have specific duties in terms of the MFMA to monitor and assess the systems of risk management in Municipal Entities, assist with building risk management capacity in Municipal Entities and to enforce the PFMA (by implementing the specific prescripts therein pertaining to risk management) in Municipal Entities.

7.4  Audit Committee:

7.4.1  The Audit Committee is responsible for assisting the Accounting Officer in addressing its oversight requirements of risk management and evaluating and monitoring the institution’s performance with regard to risk management.

7.5  Risk Management Committee:

7.5.1  The Risk Management Committee is responsible for oversight of the quality, integrity and reliability of the institution's risk management processes and risk responses. An important part of the Committee's mandate is to provide recommendations to the Accounting Officer to continuously improve the management of specific risks as well as the overall process of risk management.
7.6  Executive  Authority: 

7.6.1  The  Executive  Authority  is  accountable  to  Council  in  terms  of  the  achievement 
of  the  goals  and  objectives  of  the  institution.  In  this  context  the  Executive 
Authority  should  take  an  interest  in  ERM  to  the  extent  necessary  to  obtain 
comfort  that  properly  established  and  functioning  systems  of  risk  management 
are  in  place  to  protect  the  institution. 

7.7  Internal  Auditors: 

7.7.1  Internal  Auditors  are  responsible  for  providing  independent  assurance  on  the 
effectiveness  of  risk  management  in  the  institution.  This  involves  providing 
assurance  that  all  material  risks  have  been  identified  and  assessed  and  that 
control  systems  implemented  to  treat  such  risks  are  both  adequate  and 
effective. 

8.  EVALUATION  OF  ERM 

8.1  Evaluation of the effectiveness of ERM is vital to ensure that the benefits of implementing ERM are realised. Often ERM initiatives fail to add value because of the absence of pre-determined goals and targets and/or the lack of appropriate monitoring.

8.2  The  value  of  risk  management  is  evaluated  by  measuring  performance  against 
pre-set  goals,  objectives  and  key  performance  indicators  which  are  aligned  to 
the  overall  goals  and  objectives  of  the  institution. 

9.  CONTINUOUS  IMPROVEMENT 

9.1  Risk management, like any business activity, should be continuously improved. This means that the institution will always strive to move from its current level of risk maturity to a more mature level of risk maturity. This maturity can include improvements in risk governance, risk identification, risk assessment, risk monitoring and risk optimisation.


10.  REVIEW  OF  RISK  POLICY 

10.1  The Committee shall review the risk policy and recommend to Council for approval any amendments that may be required.